C-9356-1 - PSA for Network Penetration Testing
PROFESSIONAL SERVICES AGREEMENT
WITH SHOREBREAK iTHREAT SECURITY, LLC FOR
NETWORK PENETRATION TESTING
THIS PROFESSIONAL SERVICES AGREEMENT ("Agreement") is made and
entered into as of this 6th day of June, 2023 ("Effective Date"), by and between the CITY
OF NEWPORT BEACH, a California municipal corporation and charter city ("City"), and
SHOREBREAK iTHREAT SECURITY, LLC, a Delaware limited liability company
("Consultant"), whose address is 2028 E. Ben White Blvd. Ste. 240-2650, Austin, TX
78732, and is made with reference to the following:
RECITALS
A. City is a municipal corporation duly organized and validly existing under the laws
of the State of California with the power to carry on its business as it is now being
conducted under the statutes of the State of California and the Charter of City.
B. City desires to engage Consultant to provide City network and application
vulnerability penetration testing. Areas of testing to include: external network,
external web applications, internal network & application, and social engineering
phishing campaign ("Project").
C. Consultant possesses the skill, experience, ability, background, certification and
knowledge to provide the professional services described in this Agreement.
D. City has solicited and received a proposal from Consultant, has reviewed the
previous experience and evaluated the expertise of Consultant, and desires to
retain Consultant to render professional services under the terms and conditions
set forth in this Agreement.
NOW, THEREFORE, it is mutually agreed by and between the undersigned parties
as follows:
1. TERM
The term of this Agreement shall commence on the Effective Date, and shall
terminate on June 30, 2024, unless terminated earlier as set forth herein.
2. SERVICES TO BE PERFORMED
Consultant shall diligently perform all the services described in the Scope of
Services attached hereto as Exhibit A and incorporated herein by reference ("Services"
or "Work"). City may elect to delete certain Services within the Scope of Services at its
sole discretion.
3. TIME OF PERFORMANCE
3.1 Time is of the essence in the performance of Services under this Agreement
and Consultant shall perform the Services in accordance with the schedule included in
Exhibit A. In the absence of a specific schedule, the Services shall be performed to
completion in a diligent and timely manner. The failure by Consultant to strictly adhere to
the schedule set forth in Exhibit A, if any, or perform the Services in a diligent and timely
manner may result in termination of this Agreement by City.
3.2 Notwithstanding the foregoing, Consultant shall not be responsible for
delays due to causes beyond Consultant's reasonable control. However, in the case of
any such delay in the Services to be provided for the Project, each party hereby agrees
to provide notice within two (2) calendar days of the occurrence causing the delay to the
other party so that all delays can be addressed.
3.3 Consultant shall submit all requests for extensions of time for performance
in writing to the Project Administrator as defined herein not later than ten (10) calendar
days after the start of the condition that purportedly causes a delay. The Project
Administrator shall review all such requests and may grant reasonable time extensions
for unforeseeable delays that are beyond Consultant's control.
3.4 For all time periods not specifically set forth herein, Consultant shall
respond in the most expedient and appropriate manner under the circumstances, by
hand-delivery or mail.
4. COMPENSATION TO CONSULTANT
4.1 City shall pay Consultant for the Services on a time and expense not-to-exceed
basis in accordance with the provisions of this Section and the Schedule of Billing
Rates attached hereto as Exhibit B and incorporated herein by reference. Consultant's
compensation for all Work performed in accordance with this Agreement, including all
reimbursable items and subconsultant fees, shall not exceed Forty Five Thousand Nine
Hundred Twenty Dollars and 00/100 ($45,920.00), without prior written authorization
from City. No billing rate changes shall be made during the term of this Agreement without
the prior written approval of City.
4.2 Consultant shall submit monthly invoices to City describing the Work
performed the preceding month. Consultant's bills shall include the name of the person
who performed the Work, a brief description of the Services performed and/or the specific
task in the Scope of Services to which it relates, the date the Services were performed,
the number of hours spent on all Work billed on an hourly basis, and a description of any
reimbursable expenditures. City shall pay Consultant no later than thirty (30) calendar
days after approval of the monthly invoice by City staff.
4.3 City shall reimburse Consultant only for those costs or expenses specifically
identified in Exhibit B to this Agreement or specifically approved in writing in advance by
City.
Shorebreak iThreat Security, LLC Page 2
4.4 Consultant shall not receive any compensation for Extra Work performed
without the prior written authorization of City. As used herein, "Extra Work" means any
Work that is determined by City to be necessary for the proper completion of the Project,
but which is not included within the Scope of Services and which the parties did not
reasonably anticipate would be necessary at the execution of this Agreement.
Compensation for any authorized Extra Work shall be paid in accordance with the
Schedule of Billing Rates as set forth in Exhibit B.
5. PROJECT MANAGER
5.1 Consultant shall designate a Project Manager, who shall coordinate all
phases of the Project. This Project Manager shall be available to City at all reasonable
times during the Agreement term. Consultant has designated Erik Ronstrom to be its
Project Manager. Consultant shall not remove or reassign the Project Manager or any
personnel listed in Exhibit A or assign any new or replacement personnel to the Project
without the prior written consent of City. City's approval shall not be unreasonably
withheld with respect to the removal or assignment of non-key personnel.
5.2 Consultant, at the sole discretion of City, shall remove from the Project any
of its personnel assigned to the performance of Services upon written request of City.
Consultant warrants that it will continuously furnish the necessary personnel to complete
the Project on a timely basis as contemplated by this Agreement.
5.3 If Consultant is performing inspection services for City, the Project Manager
and any other assigned staff shall be equipped with a cellular phone to communicate with
City staff. The Project Manager's cellular phone number shall be provided to City.
6. ADMINISTRATION
This Agreement will be administered by the City Manager's Office. City's IT
Manager or designee shall be the Project Administrator and shall have the authority to
act for City under this Agreement. The Project Administrator shall represent City in all
matters pertaining to the Services to be rendered pursuant to this Agreement.
7. CITY'S RESPONSIBILITIES
To assist Consultant in the execution of its responsibilities under this Agreement,
City agrees to provide access to and upon request of Consultant, one copy of all existing
relevant information on file at City. City will provide all such materials in a timely manner
so as not to cause delays in Consultant's Work schedule.
8. STANDARD OF CARE
8.1 All of the Services shall be performed by Consultant or under Consultant's
supervision. Consultant represents that it possesses the professional and technical
personnel required to perform the Services required by this Agreement, and that it will
perform all Services in a manner commensurate with community professional standards
and with the ordinary degree of skill and care that would be used by other reasonably
competent practitioners of the same discipline under similar circumstances. All Services
shall be performed by qualified and experienced personnel who are not employed by City.
By delivery of completed Work, Consultant certifies that the Work conforms to the
requirements of this Agreement, all applicable federal, state and local laws, and legally
recognized professional standards.
8.2 Consultant represents and warrants to City that it has, shall obtain, and shall
keep in full force and effect during the term hereof, at its sole cost and expense, all
licenses, permits, qualifications, insurance and approvals of whatsoever nature that is
legally required of Consultant to practice its profession. Consultant shall maintain a City
of Newport Beach business license during the term of this Agreement.
8.3 Consultant shall not be responsible for delay, nor shall Consultant be
responsible for damages or be in default or deemed to be in default by reason of strikes,
lockouts, accidents, acts of God, or the failure of City to furnish timely information or to
approve or disapprove Consultant's Work promptly, or delay or faulty performance by
City, contractors, or governmental agencies.
9. HOLD HARMLESS
9.1 To the fullest extent permitted by law, Consultant shall indemnify, defend
and hold harmless City, its City Council, boards and commissions, officers, agents,
volunteers and employees (collectively, the "Indemnified Parties") from and against any
and all claims (including, without limitation, claims for bodily injury, death or damage to
property), demands, obligations, damages, actions, causes of action, suits, losses,
judgments, fines, penalties, liabilities, costs and expenses (including, without limitation,
attorneys' fees, disbursements and court costs) of every kind and nature whatsoever
(individually, a Claim; collectively, "Claims"), which may arise from or in any manner relate
(directly or indirectly) to any breach of the terms and conditions of this Agreement, any
Work performed or Services provided under this Agreement including, without limitation,
defects in workmanship or materials or Consultant's presence or activities conducted on
the Project (including the negligent, reckless, and/or willful acts, errors and/or omissions
of Consultant, its principals, officers, agents, employees, vendors, suppliers, consultants,
subcontractors, anyone employed directly or indirectly by any of them or for whose acts
they may be liable, or any or all of them).
9.2 Notwithstanding the foregoing, nothing herein shall be construed to require
Consultant to indemnify the Indemnified Parties from any Claim arising from the sole
negligence or willful misconduct of the Indemnified Parties. Nothing in this indemnity shall
be construed as authorizing any award of attorneys' fees in any action on or to enforce
the terms of this Agreement. This indemnity shall apply to all claims and liability
regardless of whether any insurance policies are applicable. The policy limits do not act
as a limitation upon the amount of indemnification to be provided by Consultant.
10. INDEPENDENT CONTRACTOR
It is understood that City retains Consultant on an independent contractor basis
and Consultant is not an agent or employee of City. The manner and means of
conducting the Work are under the control of Consultant, except to the extent they are
limited by statute, rule or regulation and the expressed terms of this Agreement. No civil
service status or other right of employment shall accrue to Consultant or its employees.
Nothing in this Agreement shall be deemed to constitute approval for Consultant or any
of Consultant's employees or agents, to be the agents or employees of City. Consultant
shall have the responsibility for and control over the means of performing the Work,
provided that Consultant is in compliance with the terms of this Agreement. Anything in
this Agreement that may appear to give City the right to direct Consultant as to the details
of the performance of the Work or to exercise a measure of control over Consultant shall
mean only that Consultant shall follow the desires of City with respect to the results of the
Services.
11. COOPERATION
Consultant agrees to work closely and cooperate fully with City's designated
Project Administrator and any other agencies that may have jurisdiction or interest in the
Work to be performed. City agrees to cooperate with the Consultant on the Project.
12. CITY POLICY
Consultant shall discuss and review all matters relating to policy and Project
direction with City's Project Administrator in advance of all critical decision points in order
to ensure the Project proceeds in a manner consistent with City goals and policies.
13. PROGRESS
Consultant is responsible for keeping the Project Administrator informed on a
regular basis regarding the status and progress of the Project, activities performed and
planned, and any meetings that have been scheduled or are desired.
14. INSURANCE
Without limiting Consultant's indemnification of City, and prior to commencement
of Work, Consultant shall obtain, provide and maintain at its own expense during the term
of this Agreement or for other periods as specified in this Agreement, policies of insurance
of the type, amounts, terms and conditions described in the Insurance Requirements
attached hereto as Exhibit C, and incorporated herein by reference.
15. PROHIBITION AGAINST ASSIGNMENTS AND TRANSFERS
Except as specifically authorized under this Agreement, the Services to be
provided under this Agreement shall not be assigned, transferred contracted or
subcontracted out without the prior written approval of City. Any of the following shall be
construed as an assignment: The sale, assignment, transfer or other disposition of any
of the issued and outstanding capital stock of Consultant, or of the interest of any general
partner or joint venturer or syndicate member or cotenant if Consultant is a partnership or
joint venture or syndicate or co-tenancy, which shall result in changing the control of
Consultant. Control means fifty percent (50%) or more of the voting power or twenty-five
percent (25%) or more of the assets of the corporation, partnership or joint venture.
16. SUBCONTRACTING
The subcontractors authorized by City, if any, to perform Work on this Project are
identified in Exhibit A. Consultant shall be fully responsible to City for all acts and
omissions of any subcontractor. Nothing in this Agreement shall create any contractual
relationship between City and any subcontractor nor shall it create any obligation on the
part of City to pay or to see to the payment of any monies due to any such subcontractor
other than as otherwise required by law. City is an intended beneficiary of any Work
performed by the subcontractor for purposes of establishing a duty of care between the
subcontractor and City. Except as specifically authorized herein, the Services to be
provided under this Agreement shall not be otherwise assigned, transferred, contracted
or subcontracted out without the prior written approval of City.
17. OWNERSHIP OF DOCUMENTS
17.1 Each and every report, draft, map, record, plan, document and other writing
produced, including but not limited to, websites, blogs, social media accounts and
applications (hereinafter "Documents"), prepared or caused to be prepared by Consultant,
its officers, employees, agents and subcontractors, in the course of implementing this
Agreement, shall become the exclusive property of City, and City shall have the sole right
to use such materials in its discretion without further compensation to Consultant or any
other party. Additionally, all material posted in cyberspace by Consultant, its officers,
employees, agents and subcontractors, in the course of implementing this Agreement,
shall become the exclusive property of City, and City shall have the sole right to use such
materials in its discretion without further compensation to Consultant or any other party.
Consultant shall, at Consultant's expense, provide such Documents, including all logins
and password information to City upon prior written request.
17.2 Documents, including drawings and specifications, prepared by Consultant
pursuant to this Agreement are not intended or represented to be suitable for reuse by
City or others on any other project. Any use of completed Documents for other projects
and any use of incomplete Documents without specific written authorization from
Consultant will be at City's sole risk and without liability to Consultant. Further, any and
all liability arising out of changes made to Consultant's deliverables under this Agreement
by City or persons other than Consultant is waived against Consultant, and City assumes
full responsibility for such changes unless City has given Consultant prior notice and has
received from Consultant written consent for such changes.
17.3 All written documents shall be transmitted to City in formats compatible with
Microsoft Office and/or viewable with Adobe Acrobat.
18. CONFIDENTIALITY
All Documents, including drafts, preliminary drawings or plans, notes and
communications that result from the Services in this Agreement, shall be kept confidential
unless City expressly authorizes in writing the release of information.
19. INTELLECTUAL PROPERTY INDEMNITY
Consultant shall defend and indemnify City, its agents, officers, representatives
and employees against any and all liability, including costs, for infringement or alleged
infringement of any United States' letters patent, trademark, or copyright, including costs,
contained in Consultant's Documents provided under this Agreement.
20. RECORDS
Consultant shall keep records and invoices in connection with the Services to be
performed under this Agreement. Consultant shall maintain complete and accurate
records with respect to the costs incurred under this Agreement and any Services,
expenditures and disbursements charged to City, for a minimum period of three (3) years,
or for any longer period required by law, from the date of final payment to Consultant
under this Agreement. All such records and invoices shall be clearly identifiable.
Consultant shall allow a representative of City to examine, audit and make transcripts or
copies of such records and invoices during regular business hours. Consultant shall allow
inspection of all Work, data, Documents, proceedings and activities related to the
Agreement for a period of three (3) years from the date of final payment to Consultant
under this Agreement.
21. WITHHOLDINGS
City may withhold payment to Consultant of any disputed sums until satisfaction of
the dispute with respect to such payment. Such withholding shall not be deemed to
constitute a failure to pay according to the terms of this Agreement. Consultant shall not
discontinue Work as a result of such withholding. Consultant shall have an immediate
right to appeal to the City Manager or designee with respect to such disputed sums.
Consultant shall be entitled to receive interest on any withheld sums at the rate of return
that City earned on its investments during the time period, from the date of withholding of
any amounts found to have been improperly withheld.
22. ERRORS AND OMISSIONS
In the event of errors or omissions that are due to the negligence or professional
inexperience of Consultant which result in expense to City greater than what would have
resulted if there were not errors or omissions in the Work accomplished by Consultant,
the additional design, construction and/or restoration expense shall be borne by
Consultant. Nothing in this Section is intended to limit City's rights under the law or any
other sections of this Agreement.
23. CITY'S RIGHT TO EMPLOY OTHER CONSULTANTS
City reserves the right to employ other Consultants in connection with the Project.
24. CONFLICTS OF INTEREST
24.1 Consultant or its employees may be subject to the provisions of the
California Political Reform Act of 1974 (the "Act") and/or Government Code §§ 1090 et
seq., which (1) require such persons to disclose any financial interest that may
foreseeably be materially affected by the Work performed under this Agreement, and (2)
prohibit such persons from making, or participating in making, decisions that will
foreseeably financially affect such interest.
24.2 If subject to the Act and/or Government Code §§ 1090 et seq., Consultant
shall conform to all requirements therein. Failure to do so constitutes a material breach
and is grounds for immediate termination of this Agreement by City. Consultant shall
indemnify and hold harmless City for any and all claims for damages resulting from
Consultant's violation of this Section.
25. NOTICES
25.1 All notices, demands, requests or approvals, including any change in
mailing address, to be given under the terms of this Agreement shall be given in writing,
and conclusively shall be deemed served when delivered personally, or on the third
business day after the deposit thereof in the United States mail, postage prepaid,
first-class mail, addressed as hereinafter provided.
25.2 All notices, demands, requests or approvals from Consultant to City shall
be addressed to City at:
Attn: IT Manager
City Manager's Office
City of Newport Beach
100 Civic Center Drive
PO Box 1768
Newport Beach, CA 92658
25.3 All notices, demands, requests or approvals from City to Consultant shall
be addressed to Consultant at:
Attn: Ashleigh Brady
Shorebreak iThreat Security, LLC
2028 E. Ben White Blvd. Ste. 240-2650
Austin, TX 78732
26. CLAIMS
Unless a shorter time is specified elsewhere in this Agreement, before making its
final request for payment under this Agreement, Consultant shall submit to City, in writing,
all claims for compensation under or arising out of this Agreement. Consultant's
acceptance of the final payment shall constitute a waiver of all claims for compensation
under or arising out of this Agreement except those previously made in writing and
identified by Consultant in writing as unsettled at the time of its final request for payment.
Consultant and City expressly agree that in addition to any claims filing requirements set
forth in the Agreement, Consultant shall be required to file any claim Consultant may have
against City in strict conformance with the Government Claims Act (Government Code
sections 900 et seq.).
27. TERMINATION
27.1 In the event that either party fails or refuses to perform any of the provisions
of this Agreement at the time and in the manner required, that party shall be deemed in
default in the performance of this Agreement. If such default is not cured within a period
of two (2) calendar days, or if more than two (2) calendar days are reasonably required
to cure the default and the defaulting party fails to give adequate assurance of due
performance within two (2) calendar days after receipt of written notice of default,
specifying the nature of such default and the steps necessary to cure such default, and
thereafter diligently take steps to cure the default, the non-defaulting party may terminate
the Agreement forthwith by giving to the defaulting party written notice thereof.
27.2 Notwithstanding the above provisions, City shall have the right, at its sole
and absolute discretion and without cause, of terminating this Agreement at any time by
giving no less than seven (7) calendar days' prior written notice to Consultant. In the
event of termination under this Section, City shall pay Consultant for Services
satisfactorily performed and costs incurred up to the effective date of termination for which
Consultant has not been previously paid. On the effective date of termination, Consultant
shall deliver to City all reports, Documents and other information developed or
accumulated in the performance of this Agreement, whether in draft or final form.
28. STANDARD PROVISIONS
28.1 Recitals. City and Consultant acknowledge that the above Recitals are true
and correct and are hereby incorporated by reference into this Agreement.
28.2 Compliance with all Laws. Consultant shall, at its own cost and expense,
comply with all statutes, ordinances, regulations and requirements of all governmental
entities, including federal, state, county or municipal, whether now in force or hereinafter
enacted. In addition, all Work prepared by Consultant shall conform to applicable City,
county, state and federal laws, rules, regulations and permit requirements and be subject
to approval of the Project Administrator and City.
28.3 Waiver. A waiver by either party of any breach, of any term, covenant or
condition contained herein shall not be deemed to be a waiver of any subsequent breach
of the same or any other term, covenant or condition contained herein, whether of the
same or a different character.
28.4 Integrated Contract. This Agreement represents the full and complete
understanding of every kind or nature whatsoever between the parties hereto, and all
preliminary negotiations and agreements of whatsoever kind or nature are merged herein.
No verbal agreement or implied covenant shall be held to vary the provisions herein.
28.5 Conflicts or Inconsistencies. In the event there are any conflicts or
inconsistencies between this Agreement and the Scope of Services or any other
attachments attached hereto, the terms of this Agreement shall govern.
28.6 Interpretation. The terms of this Agreement shall be construed in
accordance with the meaning of the language used and shall not be construed for or
against either party by reason of the authorship of the Agreement or any other rule of
construction which might otherwise apply.
28.7 Amendments. This Agreement may be modified or amended only by a
written document executed by both Consultant and City and approved as to form by the
City Attorney.
28.8 Severability. If any term or portion of this Agreement is held to be invalid,
illegal, or otherwise unenforceable by a court of competent jurisdiction, the remaining
provisions of this Agreement shall continue in full force and effect.
28.9 Controlling Law and Venue. The laws of the State of California shall govern
this Agreement and all matters relating to it and any action brought relating to this
Agreement shall be adjudicated in a court of competent jurisdiction in the County of
Orange, State of California.
28.10 Equal Opportunity Employment. Consultant represents that it is an equal
opportunity employer and it shall not discriminate against any subcontractor, employee
or applicant for employment because of race, religious creed, color, national origin,
ancestry, physical handicap, medical condition, marital status, sex, sexual orientation,
age or any other impermissible basis under law.
28.11 No Attorneys' Fees. In the event of any dispute or legal action arising under
this Agreement, the prevailing party shall not be entitled to attorneys' fees.
28.12 Counterparts. This Agreement may be executed in two (2) or more
counterparts, each of which shall be deemed an original and all of which together shall
constitute one (1) and the same instrument.
[SIGNATURES ON NEXT PAGE]
Shorebreak iThreat Security, LLC Page 10
IN WITNESS WHEREOF, the parties have caused this Agreement to be executed
on the dates written below.
APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date:
By:
Aaron C. Harp
City Attorney
ATTEST:
Date:
By:
Leilani I. Brown
City Clerk
CITY OF NEWPORT BEACH,
a California municipal corporation
Date:
By:
Grace K. Leung
City Manager
CONSULTANT:
SHOREBREAK iTHREAT SECURITY,
LLC, a Delaware corporation
Date:
Signed in Counterpart
By:
John Benjamin Gray
Chief Executive Officer
Date:
Signed in Counterpart
By:
Casey Moore
Assistant Treasurer
[END OF SIGNATURES]
Attachments: Exhibit A — Scope of Services
Exhibit B — Schedule of Billing Rates
Exhibit C — Insurance Requirements
IN WITNESS WHEREOF, the parties have caused this Agreement to be executed
on the dates written below.
APPROVED AS TO FORM:
CITY ATTORNEY'S OFFICE
Date:
By:
Aaron C. Harp
City Attorney
ATTEST:
Date:
By:
Leilani I. Brown
City Clerk
CITY OF NEWPORT BEACH,
a California municipal corporation
Date:
By:
Grace K. Leung
City Manager
CONSULTANT:
SHOREBREAK iTHREAT SECURITY,
LLC, a Delaware corporation
Date:
By:
John Benjamin Gray
Chief Executive Officer
Date:
By:
Casey Moore
Assistant Treasurer
[END OF SIGNATURES]
Attachments: Exhibit A — Scope of Services
Exhibit B — Schedule of Billing Rates
Exhibit C — Insurance Requirements
EXHIBIT A
SCOPE OF SERVICES
Phase 1 - Project Planning, Rules of Engagement Development
Shorebreak Security will work cooperatively with City of Newport Beach CA to develop a project
plan and a Rules of Engagement (ROE) document. The ROE document itself will identify
milestones, the schedule, staffing for each milestone, tools, techniques and methodology,
exclusions, risk mitigation strategies and contact information.
Prior to the beginning of testing, Shorebreak Security will ensure that both the test team and City
of Newport Beach CA staff share a common vision, goals and objectives for the test.
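The ROE's in-scope blocks, exclusions and schedule are only useful if every target is checked against them before any activity is scheduled. The following scope check is an added illustration for this page, not a Shorebreak tool or a City of Newport Beach deliverable; the `RulesOfEngagement` class, the `filter_targets` helper, the testing window and the sample address blocks (taken from documentation ranges) are all assumptions constructed here.

```python
"""ROE scope check: an added illustration, not code from the agreement or from
Shorebreak Security. Assumes a hypothetical ROE consisting of authorised CIDR
blocks, explicit exclusions and a daily testing window; every candidate target
is classified before scheduling and the decision is kept for the engagement log.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    in_scope: list[str]                                   # CIDR blocks the client authorised
    exclusions: list[str] = field(default_factory=list)   # hosts or blocks never to be touched
    window_start: time = time(9, 0)                       # assumed business-hours window
    window_end: time = time(17, 0)

    def __post_init__(self):
        self._allowed = [ipaddress.ip_network(c, strict=False) for c in self.in_scope]
        self._excluded = [ipaddress.ip_network(c, strict=False) for c in self.exclusions]

    def classify(self, target: str, when: datetime) -> str:
        """Return 'authorised', 'excluded', 'out_of_scope' or 'outside_window'."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Host names are not accepted here: resolve them first and re-check
            # the resulting address, so a stale DNS record cannot widen the scope.
            return "out_of_scope"
        if any(addr in net for net in self._excluded):
            return "excluded"          # an exclusion always overrides an allow entry
        if not any(addr in net for net in self._allowed):
            return "out_of_scope"
        if not (self.window_start <= when.time() <= self.window_end):
            return "outside_window"
        return "authorised"


def filter_targets(roe: RulesOfEngagement, targets: list[str], when: datetime):
    """Split candidates into hosts that may be tested now and a decision log."""
    approved, log = [], []
    for target in targets:
        decision = roe.classify(target, when)
        log.append(f"{when.isoformat()} target={target} decision={decision}")
        if decision == "authorised":
            approved.append(target)
    return approved, log


# Constructed sample ROE and candidate list (documentation address ranges only).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    exclusions=["203.0.113.10/32", "198.51.100.64/26"],
)
SAMPLE_TARGETS = ["203.0.113.5", "203.0.113.10", "198.51.100.70", "192.0.2.1", "not-an-ip"]

if __name__ == "__main__":
    ok, entries = filter_targets(SAMPLE_ROE, SAMPLE_TARGETS, datetime(2023, 6, 12, 10, 30))
    print("approved:", ok)
    print("\n".join(entries))
```

Exclusions are evaluated before the allow list so that a carve-out inside an authorised block (the /26 inside the /25 above) can never be reached by an over-broad allow entry, and the log line per decision gives both parties the record the ROE's contact and risk-mitigation provisions depend on.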
Phase 2 - External Penetration Vulnerability Testing
During this phase, Shorebreak Security will perform a network penetration test and web
application assessment of the City of Newport Beach CA external network(s). This phase will
include penetration and vulnerability assessment from the Internet, emulating the largest threat
source, the Internet-borne attacker.
Shorebreak Security intends to utilize two engineers over the course of one work
week for this task.
The Shorebreak Security team will conduct a controlled penetration test to identify weaknesses in
the external security perimeter of the City of Newport Beach CA network. Where vulnerabilities are
identified, the penetration testing team will exploit and validate the vulnerabilities, attempting to
gain access to, and control of selected systems. Initial efforts of the penetration team will be to
identify vulnerabilities in systems that can be reached from the Internet and to logically map the
gateway topology. The ultimate goal is to determine if unauthorized access to the internal City of
Newport Beach CA network and systems is possible.
The testing will be nondestructive in nature (i.e. there will be no denial of service attacks
mounted). However, where applicable, systems and configurations susceptible to denial of service
attacks will be noted. The Shorebreak Security team maintains a test lab where test tools are
developed and tested. No tools or techniques are used on client systems without first being
thoroughly tested.
Specific goals of the external testing are to:
• Identify external points of access to City of Newport Beach CA networks, in the same
manner as a real-world attacker would
• Identify vulnerabilities in externally accessible systems
• Utilize cutting edge tools and techniques to validate discovered vulnerabilities and
determine their overall impact
• Identify potential vulnerabilities in network access controls, firewalls, routers, and the
designed network topology, even if they do not immediately provide access to the internal
network
• Determine if it is possible to exploit the identified vulnerabilities and the network design
and topology to gain access to the internal network from the Internet
External testing will be accomplished across the Internet from the Shorebreak Security team's test
labs, which are protected from intrusion by a combination of firewalls, router filters, and
system-level controls, such as host-level firewalls with intrusion detection and encrypted logons.
The major steps of the vulnerability and penetration assessment are: (1) information gathering, (2)
vulnerability assessment, (3) system penetration, and (4) expansion of penetration. In some cases,
vulnerabilities of one or more components may be exploited to provide stepping -stones to exploit
other components. In this way, it can be determined if two or more minor vulnerabilities can be
combined to create a much greater risk of intrusion.
Though the specific tests vary based on the topology and exposed systems making up a gateway
network, the overall methodology is described in the following sections.
Information Gathering and Research
• Passive Information Gathering - Prior to the beginning of active penetration efforts, the
Shorebreak Security Test Team will conduct an extensive research effort to gather
information on the Client networks and components. The collection of publicly available
information concerning a target network is a vital first step in a penetration effort. A wealth
of information about any public network is available via a series of internetworking system
services, as well as through use of information gathering tools. The types and importance of
the information varies with each service and tool, but together this information can be used
to identify potential vulnerabilities that may enable a successful penetration of the network
perimeter.
• Active Network and System Services Discovery - Physical network design and routing
information can often be determined through use of IP scanning tools, traceroute, and
probes against various routing protocols. First, the team uses IP scanning tools to perform
discovery of systems within the customer's gateway IP addresses. Each system that is
discovered is scanned for active network services, using a combination of public,
commercial off-the-shelf and proprietary scanning tools. The choice of tool will be
determined by the size of the address block, but the results of the scanning tools are
comparable for this purpose. These scans will show the common results of the set of hosts
and services which are active on the target systems and the set of services which are
permitted to pass through any firewalls or routing filters. In many cases, it will also show
which services are being blocked by firewall or routing filters.
Vulnerability Assessment of Exposed Systems
• Each exposed system will be evaluated for vulnerabilities that reduce its security profile.
Though there are far too many specific vulnerabilities to discuss in detail here, the
following paragraphs discuss the process for identifying some of the major types of
vulnerabilities.
• Vulnerable Versions of Software - Many systems that have not been updated are running
vulnerable versions of software that provides network services. These outdated network
services contain software bugs that enable the service to be manipulated into providing
information, or even providing unauthorized access to the system. Therefore, once all
active hosts and services have been identified, we will probe these services to identify their
make and versions, and will cross-reference the active services against a database of
potentially vulnerable services.
• Anonymous Access - In addition to versions of software, simple configuration errors and
insecure use of certain protocols can permit the compromise of a system. Systems that
might permit anonymous access are checked for anonymous read, and even more
importantly, anonymous write access. If access is discovered, an Engineer checks the
service to determine if access exists to directories that might be used to create
unauthorized access, denial of service, or to plant malicious software. Services that
commonly provide anonymous access include HTTP (web), FTP and TFTP (file transfer),
and network file sharing.
• Weak Protocols - A number of services rely on processes that are weakly authenticated, not
authenticated at all, or weakly protected from eavesdropping. These protocols and services
may be vulnerable to attacks that exploit the services or take advantage of the lack of
authentication. Systems that have such services are checked for access controls and
susceptibility to spoofing and exploitation of trust relationships. In this way,
recommendations are not only offered about the dangers of the general use of some of the
more vulnerable of these services, but specific services that are vulnerable to known attacks
in the active configurations and versions are listed in the vulnerabilities.
• VPN Testing — The high prevalence of Virtual Private Network installations now means
that internal networks can be exposed with a single vulnerability in the VPN server or a
misconfiguration that results in weak internal passwords for guest or service accounts
being used to authenticate to a VPN server. All externally exposed VPN services are
checked for common vulnerabilities, patch levels, and weak authentication.
Penetration of Gateway Network
• The actual penetration methodology is a three-step, repetitive process that mirrors an effort
by a knowledgeable, motivated hacker. The team must gain initial access to at least one
system within the gateway network. Next, the team will increase their access to gain
administrative control of any compromised system. Finally, the team then may use the
compromised system as a platform from which to repeat data gathering and penetration of
other systems in the gateway, or sometimes even in the internal network, to determine if
multiple vulnerabilities can be added together to compromise the internal network or other
parts of the client's critical infrastructure.
• Initial Penetration of Exposed Systems - Once the exposed vulnerabilities have been
identified and mapped, the Shorebreak Security Test Team will attempt to gain access to
exposed systems. The selection of specific exploits (attacks) to be used against a system will
be based on each system's operating system version and the services that are running on it.
Since operating systems and services vary widely, exploiting them requires an in-depth
knowledge of the potential security flaws of each operating system, as well as a working
collection of exploits for all common system services. Our penetration methods have been
developed from published exploits, security advisories, and from attacks that have been
developed in-house. Due to the large number of potential exploits (attacks), it is impossible
to describe each here. However, some of the more common system attacks are listed below.
• Hypertext Transfer Protocol (HTTP): Commonly known as web servers, these
servers commonly have outdated patch levels that can allow an attacker to
immediately penetrate the server, gaining access to a command line. These servers
also include web scripting languages such as ASP or PHP and compiled languages
such as Java. Applications written in such languages frequently contain logic flaws
or SQL injection vulnerabilities that allow for code execution or data leakage. The
more complex the web application, the more likely it is to contain such flaws.
• File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP):
Misconfigured FTP and TFTP servers may provide attack opportunities, such as
allowing file access attacks and exploiting the use of trust relationships. If present
and improperly configured, both services can provide access to valid userids or to
encrypted passwords.
• Remote Access Services: Services such as Citrix Metaframe, GoToMyPC, or
PC-Anywhere are often configured in such a way as to allow service or test accounts
access to a remote desktop. These services usually provide an attacker with the
equivalent of an internal desktop connection.
• Rogue Internet Connections and Services: Large organizations with multiple
remote offices can fall victim to a policy of securing the primary Internet gateways
but neglecting to secure the gateways provided to smaller offices. These offices
usually have either a backdoor network connection to the internal network or a
VPN connection to the central office, but may rely on a simple DSL modem for
security or even no firewall at all.
• Administrative Control of Compromised Systems - Once a normal user shell account is
achieved, the Test Team will attempt to obtain administrative privilege, which is
tantamount to having total system and application control (except perhaps to some
databases). Many of the same exploits used to gain user-level access on a system can be
used locally to gain root or administrator access. In addition, misconfigurations and
software bugs may be used to obtain increased privileges.
• Expanding The Scope of Access - Once administrative control of a system is obtained, that
system then becomes a potential platform from which the team will survey and attack other
portions of the network that may not be directly reachable from the Internet. In this way, it
is possible to expand the penetration of a single system into a much larger compromise.
Some of the methods that are often used to expand the compromised access include
discovery scanning to identify newly "visible" systems, sniffing traffic for credentials with
escalated privileges, and identifying then exploiting trust relationships to gain access to
additional assets.
The ultimate goal is to determine if the identified external vulnerabilities can be leveraged into
access of critical City of Newport Beach CA systems, or even the internal network.
Phase 3 - External Web Application Penetration Testing
Where network penetration testing tests Operating System and service level security, web
application-specific testing is designed to test the security controls within the web application
itself. Testing will identify vulnerabilities in the use of encryption, authentication, authorization,
session management, application logic, web server configuration and numerous other critical areas
of concern. Attempts will be made to gain unauthorized access to information or services beyond
the intent of the applications. Three external websites will be tested in this phase.
Shorebreak Security intends to utilize two engineers over the course of two work
weeks for this task.
Shorebreak Security will test the application from the following perspectives (roles):
• Unauthenticated user
• Non-privileged user
• Administrative user
There may be additional roles specific to each individual application selected for testing. The goal
of role-based testing is to check both the logic and the authorization controls of the application to
ensure that users cannot escalate privileges.
Note: Shorebreak Security will require that test accounts at each privilege level be created.
Though automated scanners may be used, the majority of the web application penetration testing
efforts will be conducted manually, and intentionally. As with network penetration testing,
Shorebreak will not simply identify issues. We are often able to demonstrate issues by producing
proof-of-concept code.
During a web application assessment, Shorebreak Security will check for web-based vulnerabilities
such as SQL Injection, Cross Site Scripting, Command Injection, File substitution, File includes,
and other vulnerabilities associated with insufficient server side data validation.
We will also look for privilege escalation and permissions bypass issues, as well as other types of
application logic flaws that may result in compromise of the application or the data it accesses.
Below are just a few of the types of common issues that we look for while performing web
application assessments:
• Broken Access Control
• Broken Authentication
• Session Management Issues
• Privilege Escalation
• Role Enforcement Issues
• Cross Site Request Forgery
• Input Validation/Injection Flaws (Cross Site Scripting (XSS), Arbitrary Command
Execution, SQL Injection, LDAP Injection, Buffer/Integer Overflows, etc.)
• Improper Error Handling
• Insecure Storage
• Information Disclosure Issues
• Insecure Web Server Configuration (such as Directory Indexing, Cross Site Tracing,
WebDAV, Verbose Error Messages, etc.)
• Application Information Disclosure
• File Upload/Download Issues
• Directory Traversal
• Local and Remote File Includes
• Application Logic Flaws
Phase 4 - Internal Network & Application Vulnerability Testing
During this phase, Shorebreak Security will perform a network penetration test and web
application assessment of the City of Newport Beach CA internal network(s), along with
location-specific testing to determine the security of wireless networks at up to 23 remote site
networks. This phase also includes unauthenticated testing of 3 City of Newport Beach CA
applications, including their accessibility from both inside and outside the network, to test
application security and code vulnerabilities.
Shorebreak Security intends to utilize four engineers over the course of one work
week for this task.
At the start of the internal assessment, the Shorebreak Security team and City of Newport Beach
CA representatives will meet to discuss external assessment actions and findings, to orient the
test team to the facilities, and to discuss interviews that will be necessary for the cooperative
portion of the assessment.
The internal assessment provides the ability to examine system-level vulnerabilities that may not
be directly accessible from the Internet, as well as network controls designed to limit the potential
damage if a compromise occurs. In this way, the effort can identify vulnerabilities that create risk,
not only from the external perimeter, but also from internal threats. Though the Internet represents a
large volume of malicious threats, FBI reports confirm that most computer crime is still conducted
internally. This is because of the opportunity for unauthorized actions presented to internal users.
The internal assessment will begin with a network discovery and data collection effort designed to
logically map the network and identify systems with active vulnerable services. Some penetration
techniques will be employed to validate and demonstrate vulnerabilities, to determine if multiple
vulnerabilities can be combined to create the risk of intrusion, or to perform in-depth
configuration reviews of selected systems.
Specific goals of the internal testing are:
• Logically map the internal network, and identify types and functions of systems within
• Identify internal network topology and design vulnerabilities
• Identify vulnerabilities in internal network components, such as routers and switches
• Identify system-level vulnerabilities in operating systems and their configuration
• Identify vulnerabilities in web and other applications
• Utilize cutting edge tools and techniques to exploit and validate discovered vulnerabilities
and determine their overall impact
• Identify potential vulnerabilities in network access controls, firewalls, routers, and the
designed network topology
• Determine if visitor Wifi networks are adequately separated from City of Newport Beach
CA internal networks
• Determine if Wifi networks at up to 4 locations are adequately secured
Internal Information Gathering and Network Discovery
Similar to the external testing, the internal assessment will begin with a network discovery and
data collection effort. The internal network discovery will be designed to logically map the network
and identify active systems that are running potentially vulnerable services. As the systems are
scanned and active services identified, the Shorebreak Security team analysts will probe them to
discover operating system and software types and versions. In addition, engineers will probe the
systems to determine if existing configurations permit the systems to leak information to an
intruder. In these cases, we will use public domain and proprietary information gathering tools to
collect such information as account policies, user IDs, group memberships, exported directories or
shares, and accounts with weak passwords.
At the conclusion of the information-gathering portion of the task, the assessment team will be
able to identify the systems with the most potential vulnerabilities.
As explained in external testing, we expend exhaustive efforts to ensure that data is not modified
and that authorized user access to City of Newport Beach CA systems and networks is not
impeded. Also, as in the external testing, denial of service attacks are not executed, but as denial of
service vulnerabilities are identified during the effort, they will be documented and
recommendations will be made to correct them.
Internal Technical Vulnerability Assessment
As previously described, identified systems will be evaluated for vulnerabilities that reduce their
security profile. Vulnerabilities often include vulnerable versions of software, excessive or
insecurely controlled anonymous access, and vulnerable Remote Procedure Call (RPC) services. In
addition, the findings of the discovery and vulnerability identification effort will be used to probe
and identify interdependent-system and network security controls and authentication systems.
Particular focus during the internal assessment is paid to the following configurations:
• Windows Active Directory structures and security settings
• Single sign-on or password synchronized relationships
• Infrastructure management systems
• Connections from the corporate network to the remote branch office networks
Internal Penetration and In-depth Assessment of System Inter-dependencies
Once vulnerable systems are identified, they will be prioritized for penetration. Target systems will
be chosen from those that represent some strategic significance within the network. For example,
Active Directory domain controllers and a representative sample of other Windows servers and
workstations are normally selected for penetration to review access controls of the domains in
general and consistency across the domains. Other examples may include UNIX database, web,
and DNS servers, a server that resides on a gateway between two segments of the WAN, network
management servers, single sign-on authentication servers, RADIUS servers, etc. The selection of
specific exploits (attacks) to be used in penetration testing will be based on each system's
operating system version and active services.
Also during the internal assessment, the Shorebreak Security team will expend special focus to identify and
determine the risk of connections to remote networks.
Cooperative Security Review - Staff Interviews and Configuration Reviews
During the on-site visit, the Shorebreak Security team will conduct a cooperative review intended
to assess policies and practices that may enable vulnerabilities to come into being. The Shorebreak
Security team will interview senior network architects, engineers, administrators, security officers
and associated managers. Specific questions will be asked about the following general subject
areas:
• Identification of IT assets and network configuration
• Inter-network connectivity to include business partners, other agencies, remote offices,
dial-in gateways, firewalls, border routers, inner-network routers, critical servers, device
auditing capabilities, security event monitoring, and host/workstation configurations
• Critical network functionality in the business process/critical services/critical applications
• Current security policies, practices, and procedures
• Primary security concerns for both administrators and normal users
If the IT policies and practices do not adequately provide guidance to support sound IT security
practices, time will tend to erode the benefit of any security safeguard improvements made as a
result of security testing. Therefore, we will collect and review existing City of Newport Beach CA
policies to determine if they offer a sound framework for network and system engineers and
administrators to design and implement secure practices. During technical discussions and
configuration reviews, Shorebreak Security team Security Engineers will review the City of
Newport Beach CA guidance that administrators typically work from and determine if the
guidance is adequate and if it is being properly implemented. Recommendations in this area will
be oriented toward establishing policies and practices that will prevent the occurrence of future
vulnerabilities.
During this phase, the Shorebreak Security team may also perform a hands-on analysis of a
representative selection of City of Newport Beach CA systems to ensure that the technical
implementations match the described configurations and to look for weaknesses in the technical
implementation of each system. These configuration reviews typically include firewall rules and
policy, router configurations, and systems that protect or control critical systems and
infrastructure.
This portion of the security assessment will be accomplished in cooperation with applicable
network and system administrators. The cooperative reviews help ensure that no vulnerabilities
are overlooked through chance or opportunity, they play a role in properly assessing the level of
risk represented by the identified vulnerabilities, as well as ensuring that recommendations to
mitigate identified risk are practical and cost-effective in the existing IT environment.
Phase 5 - Social Engineering: Phishing Campaign
During this phase, Shorebreak will conduct multiple phishing campaigns that span multiple user
groups in order to test City of Newport Beach CA users and security controls. The campaigns will
begin with a baseline scenario that is relatively easy to detect and will increase in complexity
and difficulty (to detect).
For example - Shorebreak expects that administrative users (HR, accounting, etc.) should be easier
to trick than Information Technology staff members, and will design the campaigns to ensure all
target groups are tested adequately. The campaigns sent to IT staff will be much more complex, as
those personnel should be more aware of the threat of phishing.
The primary steps include:
• Map and harvest City of Newport Beach CA Internet presence
• Cooperatively develop attack scenario
• Harvest Email addresses
• Create "fake" website
• Email City of Newport Beach CA users to click a link pointing to the fake website
• Coax users to enter credentials
• Train "victim" users
• Conduct assessment
• Report statistics
Shorebreak Security will adapt and deliver the campaign City of Newport Beach CA requires upon
further discussion.
Phase 6 - Report Development, Deliverables, and Out Brief
The following documentation will be provided for completion of the project:
• Rules of engagement — document laying out mutual understanding of the assessment and
the impact on CNB
• Scoping session to determine breadth and depth of each type of testing:
• Identify and document tests and activities to be performed
• Identify and document tools to be used to perform activities
• Document findings and results for each of the tests that is performed
• Recommendations for risk mitigation, industry standard fixes and retesting process
• Project plan, including schedule, milestones, communication plan, issues list, weekly status
reports, and meetings as determined in consultation with project leadership
• A minimum of four leadership meetings throughout the engagement with CNB
leadership
• An executive summary of the testing, findings and recommendations
• Documentation of the approach, findings, recommendations and roadmap associated with
this project that includes estimated costs and prioritization
• Analysis of the following areas with resulting actionable items, including, but not limited
to:
• Vulnerability scanning and assessment
• Network penetration testing — includes an analysis of vulnerability to social
engineering and phishing
• Critical systems configuration analysis
• Organizational assessment
• Application security analysis recommendations
• Wireless network
• Analysis of staff phishing engagement based on:
• Baseline activity
• Each pool of users identified and tested
• Complexity of each of the phishing campaigns
• Analysis and recommendations based on findings in several CNB locations across the City
of Newport Beach
All aspects of the penetration test will be thoroughly documented and screenshots will be
provided. We view our work as important and somewhat instructive, and are happy to explain the
process, our techniques and tools along the way and also in the report.
The documents will be provided in Draft format and will be submitted in an encrypted manner to
the appropriate City of Newport Beach CA staff members for review and feedback. After review
and feedback from City of Newport Beach CA, the documents will be finalized.
Shorebreak Security will conduct an out brief at the conclusion of the engagement, and also at the
conclusion of each phase if requested.
Optional Items
Note: Optional items are not included in proposal fees
Option 1 - Remediation Follow Up Testing
Shorebreak will conduct follow up testing to validate that previously identified findings have been successfully
remediated. This testing is expected to be conducted within 3 months of conclusion of the initial/baseline
penetration test and will be invoiced separately.
As previously mentioned, remediation follow up testing occurring in the original assessment window is included at
no charge.
City of Newport Beach CA acknowledges that there are inherent risks when conducting this type of security testing.
The major risks are:
• Denial of Service (DoS) of the entire system or specific components
• System performance degradation
The risk of DoS can never be completely mitigated, but through careful and purposeful testing, and ongoing
communication with City of Newport Beach CA technical staff members, the risk can be greatly reduced to an
acceptable level. Before any testing takes place, the test team will learn the purpose of the system, its major
components, critical operations and functions of the system, and any components that are particularly sensitive to
security testing. Once the test team learns of sensitive systems or components, they will discuss with City of Newport
Beach CA technical and managerial staff members the best way to conduct the testing, and will only proceed with
testing once an agreement has been made.
The risk of system performance degradation can be mitigated if the test team learns of the limitations of the system.
For example: a system may have several remote components or networks that communicate via slower frame relay
links. Typical testing may completely overwhelm the frame relay link, so the test team will throttle their testing to
ensure the link is not overwhelmed with testing traffic.
Mitigation actions can only take place if the risks are well known, so it is critical that the test team and City of
Newport Beach CA technical staff communicate effectively before any testing takes place. This document is the key
piece of the communication between the involved parties. If testing proves to be having a detrimental effect on
operations, City of Newport Beach CA has the option to stop testing and have an analysis of the activities
accomplished, and then schedule a make-up time segment to complete testing activities as may be appropriate.
SCHEDULE OF BILLING RATES
Shorebreak iThreat Security, LLC Page B-1
Fee Summary

PHASE                                                                 Cost         Hours
Phase 1 - Project Planning, Rules of Engagement Development           $1,000.00     4.00
Phase 2 - External Penetration Testing                                $9,600.00    64.00
Phase 3 - External Web Application Penetration Testing               $12,000.00    80.00
Phase 4 - Internal Network and Web Application Penetration Testing   $18,000.00   120.00
Phase 5 - Social Engineering - Spearphishing 5 Campaigns             $12,000.00    80.00
Phase 6 - Report Development, Deliverable, and Out Brief              $4,800.00    32.00
TOTAL                                                                $57,400.00   380.00
Discount 20%
Discounted Price                                                     $45,920.00

Option 1 - Remediation Validation Testing                             $6,000.00    24.00
Discounted Price                                                      $4,800.00
Page 1 of 1
EXHIBIT C
INSURANCE REQUIREMENTS — PROFESSIONAL SERVICES
1. Provision of Insurance. Without limiting Consultant's indemnification of City, and
prior to commencement of Work, Consultant shall obtain, provide and maintain at
its own expense during the term of this Agreement, policies of insurance of the
type and amounts described below and in a form satisfactory to City. Consultant
agrees to provide insurance in accordance with requirements set forth here. If
Consultant uses existing coverage to comply and that coverage does not meet
these requirements, Consultant agrees to amend, supplement or endorse the
existing coverage.
2. Acceptable Insurers. All insurance policies shall be issued by an insurance
company currently authorized by the Insurance Commissioner to transact
business of insurance in the State of California, with an assigned policyholders'
Rating of A- (or higher) and Financial Size Category Class VII (or larger) in
accordance with the latest edition of Best's Key Rating Guide, unless otherwise
approved by the City's Risk Manager.
3. Coverage Requirements.
A. Workers' Compensation Insurance. Consultant shall maintain Workers'
Compensation Insurance, statutory limits, and Employer's Liability
Insurance with limits of at least one million dollars ($1,000,000) each
accident for bodily injury by accident and each employee for bodily injury by
disease in accordance with the laws of the State of California, Section 3700
of the Labor Code.
Consultant shall submit to City, along with the certificate of insurance, a
Waiver of Subrogation endorsement in favor of City, its City Council, boards
and commissions, officers, agents, volunteers and employees.
B. General Liability Insurance. Consultant shall maintain commercial general
liability insurance, and if necessary umbrella liability insurance, with
coverage at least as broad as provided by Insurance Services Office form
CG 00 01, in an amount not less than one million dollars ($1,000,000) per
occurrence, two million dollars ($2,000,000) general aggregate. The policy
shall cover liability arising from premises, operations, personal and
advertising injury, and liability assumed under an insured contract (including
the tort liability of another assumed in a business contract).
C. Automobile Liability Insurance. Consultant shall maintain automobile
insurance at least as broad as Insurance Services Office form CA 00 01
covering bodily injury and property damage for all activities of Consultant
arising out of or in connection with Work to be performed under this
Agreement, including coverage for any owned, hired, non-owned or rented
vehicles, in an amount not less than one million dollars ($1,000,000)
combined single limit each accident.
D. Professional Liability (Errors & Omissions) Insurance. Consultant shall
maintain professional liability insurance that covers the Services to be
performed in connection with this Agreement, in the minimum amount of
one million dollars ($1,000,000) per claim and two million dollars
($2,000,000) in the aggregate. Any policy inception date, continuity date,
or retroactive date must be before the Effective Date of this Agreement and
Consultant agrees to maintain continuous coverage through a period no
less than three years after completion of the Services required by this
Agreement.
E. Cyber Liability. Contractor shall maintain cyber liability insurance with limits
of not less than one million dollars ($1,000,000) per occurrence and two
million dollars ($2,000,000) annual aggregate covering (1) all acts, errors,
omissions, negligence, infringement of intellectual property, (2) network
security and privacy risks, including but not limited to unauthorized access,
failure of security, breach of privacy perils, wrongful disclosure, collection,
or negligence in the handling of confidential information, privacy perils,
including coverage for related regulatory defense and penalties, and (3)
data breach expenses payable whether incurred by City or Contractor,
including but not limited to consumer notification, whether or not required
by law, computer forensic investigations, public relations and crisis
management firm fees, credit file or identity monitoring or remediation
services, in the performance of services for City or on behalf of City
hereunder.
4. Other Insurance Requirements. The policies are to contain, or be endorsed to
contain, the following provisions:
A. Waiver of Subrogation. All insurance coverage maintained or procured
pursuant to this Agreement shall be endorsed to waive subrogation against
City, its City Council, boards and commissions, officers, agents, volunteers
and employees or shall specifically allow Consultant or others providing
insurance evidence in compliance with these requirements to waive their
right of recovery prior to a loss. Consultant hereby waives its own right of
recovery against City, and shall require similar written express waivers from
each of its subconsultants.
B. Additional Insured Status. All liability policies including general liability,
excess liability, pollution liability, and automobile liability, if required, but not
including professional liability, shall provide or be endorsed to provide that
City, its City Council, boards and commissions, officers, agents, volunteers
and employees shall be included as insureds under such policies.
C. Primary and Non Contributory. All liability coverage shall apply on a primary
basis and shall not require contribution from any insurance or self-insurance
maintained by City.
D. Notice of Cancellation. All policies shall provide City with thirty (30)
calendar days' notice of cancellation (except for nonpayment for which ten
(10) calendar days' notice is required) or nonrenewal of coverage for each
required coverage.
5. Additional Agreements Between the Parties. The parties hereby agree to the
following:
A. Evidence of Insurance. Consultant shall provide certificates of insurance to
City as evidence of the insurance coverage required herein, along with a
waiver of subrogation endorsement for workers' compensation and other
endorsements as specified herein for each coverage. Insurance certificates
and endorsement must be approved by City's Risk Manager prior to
commencement of performance. Current certification of insurance shall be
kept on file with City at all times during the term of this Agreement. The
certificates and endorsements for each insurance policy shall be signed by
a person authorized by that insurer to bind coverage on its behalf. At least
fifteen (15) days prior to the expiration of any such policy, evidence of
insurance showing that such insurance coverage has been renewed or
extended shall be filed with the City. If such coverage is cancelled or
reduced, Consultant shall, within ten (10) days after receipt of written notice
of such cancellation or reduction of coverage, file with the City evidence of
insurance showing that the required insurance has been reinstated or has
been provided through another insurance company or companies. City
reserves the right to require complete, certified copies of all required
insurance policies, at any time.
B. City's Right to Revise Requirements. City reserves the right at any time
during the term of the Agreement to change the amounts and types of
insurance required by giving Consultant sixty (60) calendar days' advance
written notice of such change. If such change results in substantial
additional cost to Consultant, City and Consultant may renegotiate
Consultant's compensation.
C. Right to Review Subcontracts. Consultant agrees that upon request, all
agreements with subcontractors or others with whom Consultant enters into
contracts with on behalf of City will be submitted to City for review. Failure
of City to request copies of such agreements will not impose any liability on
City, or its employees. Consultant shall require and verify that all
subcontractors maintain insurance meeting all the requirements stated
herein, and Consultant shall ensure that City is an additional insured on
insurance required from subcontractors. For CGL coverage,
subcontractors shall provide coverage with a format at least as broad as CG
20 38 04 13.
D. Enforcement of Agreement Provisions. Consultant acknowledges and
agrees that any actual or alleged failure on the part of City to inform
Consultant of non-compliance with any requirement imposes no additional
obligations on City nor does it waive any rights hereunder.
E. Requirements not Limiting. Requirements of specific coverage features or
limits contained in this Section are not intended as a limitation on coverage,
limits or other requirements, or a waiver of any coverage normally provided
by any insurance. Specific reference to a given coverage feature is for
purposes of clarification only as it pertains to a given issue and is not
intended by any party or insured to be all inclusive, or to the exclusion of
other coverage, or a waiver of any type. If the Consultant maintains higher
limits than the minimums shown above, the City requires and shall be
entitled to coverage for higher limits maintained by the Consultant. Any
available insurance proceeds in excess of the specified minimum limits of
insurance and coverage shall be available to the City.
F. Self-insured Retentions. Any self-insured retentions must be declared to
and approved by City. City reserves the right to require that self-insured
retentions be eliminated, lowered, or replaced by a deductible.
Self-insurance will not be considered to comply with these requirements unless
approved by City.
G. City Remedies for Non-Compliance. If Consultant or any subconsultant fails
to provide and maintain insurance as required herein, then City shall have
the right but not the obligation, to purchase such insurance, to terminate this
Agreement, or to suspend Consultant's right to proceed until proper
evidence of insurance is provided. Any amounts paid by City shall, at City's
sole option, be deducted from amounts payable to Consultant or reimbursed
by Consultant upon demand.
H. Timely Notice of Claims. Consultant shall give City prompt and timely notice
of claims made or suits instituted that arise out of or result from Consultant's
performance under this Agreement, and that involve or may involve
coverage under any of the required liability policies. City assumes no
obligation or liability by such notice, but has the right (but not the duty) to
monitor the handling of any such claim or claims if they are likely to involve
City.
I. Consultant's Insurance. Consultant shall also procure and maintain, at its
own cost and expense, any additional kinds of insurance, which in its own
judgment may be necessary for its proper protection and prosecution of the
Work.